Re: [Fed-Talk] The Joys of FIPS
- Subject: Re: [Fed-Talk] The Joys of FIPS
- From: "Walls, Bryan K. (MSFC-EO50)" <email@hidden>
- Date: Fri, 20 Sep 2013 18:22:54 +0000
- Thread-topic: [Fed-Talk] The Joys of FIPS
Perhaps the point is that all of the NSA discussion has moved the "FIPS 140-2 Compliant" label from having the connotation of "this was secure two years ago" that we're all used to into "this may be PWND by the NSA." Which is bad news for those of us who need it, since it makes even less of an attractive investment for companies like Apple.
What's your take on the time table for iOS7 being FIPS 140-2 Compliant? Is the pipeline any shorter now than for iOS 6?
On Sep 20, 2013, at 1:12 PM, "Shawn A. Geddis" <email@hidden> wrote:
On Sep 19, 2013, at 5:23 PM, Todd Heberlein <email@hidden> wrote:
Somewhat outside of Apple’s wheelhouse, but lots of emails have come across this list discussing Apple getting FIPS approval. I thought that made this article somewhat interesting. Maybe FIPS will be seen as a drawback now for some Apple markets (like Apple’s 2nd biggest market). :-\
(NOTE: As far as I know, the so-called “backdoor” is still only hypothetical)
(NOTE 2: I added the underline in the quote below)
Stop using NSA-influenced code in our products, RSA tells customers
Officials from RSA Security are advising customers of the company's BSAFE toolkit and Data Protection Manager to stop using a crucial cryptography component in the products that was recently revealed to contain a backdoor engineered by the National Security Agency.
The BSAFE library is used to implement cryptographic functions into products, including at least some versions of the McAfee Firewall Enterprise Control Center, according to NIST certifications.
McAfee representatives issued a statement that confirmed the McAfee Firewall Enterprise Control Center 5.3.1 supported the Dual_EC_DRBG, but only when deployed in federal government or government contractor customer environments, where this FIPS certification has recommended it.
Todd,
What is the connection you are trying to draw with respect to Apple’s Cryptography and FIPS 140-2 Module Validation?
The modules neither use BSAFE nor Dual_EC_DRBG and none of the source code was influenced by any government agency.
- Shawn
________________________________________
Shawn Geddis
Security Consulting Engineer
Apple Enterprise Division
_______________________________________________
Do not post admin requests to the list. They will be ignored.
Fed-talk mailing list (email@hidden)
Help/Unsubscribe/Update your Subscription:
This email sent to email@hidden